Cloudmark Security Blog

Black Hat 2014: Google Products Might be Watching… Maliciously

Both Android and wearable device security have been a common topic among talks at Black Hat this year, and it seems Google may have passed on some unintentional headaches in both arenas. Jeff Forristal of Bluebox spoke on worrisome security practices used by Android that affected all Android users since January of 2010.

Dubbed “FakeID,” the vulnerability centers on Android OS liberally allowing self-signed certificates and the resulting impersonation that can result. Each application installed on an Android device has a unique identity cryptographically signed that is used for, among other things, application permissions. Due to the ability to self-sign, a malicious app can simply impersonate that exact signature the OS is looking for that is associated with a different app.

But, what would a juicy vulnerability be without a crafty example that involved Adobe Flash? It would seem that the Android OS specifically checks for one such signature, Adobe Flash (oh, the irony), that is hardcoded into its very open source and grants it the ability to act as a webview plugin to all other applications installed on the device. Because of this, anything masquerading as the Adobe Flash could hijack data, steal permissions, and generally do what ever it’d like with any and all other apps on the device. Another example Jeff presented warned of the potential damage associated with hijacking Google Wallet and its access to NFC. For more details on this attack, Jeff’s provides a deeper dive here. Thankfully, this was responsibly disclosed to Google, and they’ve since released patches for this general vulnerability.

Bay Area residents are also no stranger to the skepticism and drama surrounding Google products. Whether in protest of gentrification or privacy concers, Google’s glasses-mounted device has led to several heated exchanges and even assaults in San Francisco and surrounding areas. People might have even more to be concerned with now thanks to a group of cyber forensic researchers at the University of Massachusetts.

Focusing on the use of Google Glass, the team laid out methods for discretely stealling a victims passcode or login from a distance. As an attacker, they were able to (automatically, not guessing) reassemble what was input by simply recording via Google Glass from over ten feet away. Simply looking over someones shoulder to eyeball their PIN number isn’t a new concept, as evidenced by large privacy screens on many modern ATM locations. However, the group claims that they can steal passcode inputs from about ten feet away with more than 98% accuracy. If you were worried about Google Glasses encroaching on your Saturday evening Karoke performances, now you may very well need to be wary of using your phone or tablet at the local coffee shop too.